In order to subscribe now to Talos's newest rule detection functionality, you can subscribe for as low as $29 US dollars a year for personal users, be sure and see our business pricing as well at https://www.snort.org/products. Make sure and stay up to date to catch the most emerging threats!

Wednesday, April 29, 2015

One of the goals of Snort++ is to provide a more flexible framework for packet processing by implementing an event-driven approach. Another is to produce data only when needed, to minimize expensive normalizations. To help explain these concepts, let's start by examining how Snort processes packets. The key steps are given in the following figure:

Snort 2X Packet Processing

The preprocess step is highly configurable. Arbitrary preprocessors can be loaded dynamically at startup, configured in snort.conf, and then executed at runtime. Basically, the preprocessors are put into a list which is iterated for each packet. Recent versions have tweaked the list handling some, but the same basic architecture has allowed Snort to grow from a sniffer, with no preprocessing, to a full-fledged IPS, with lots of preprocessing.

While this "list of plugins" approach has considerable flexibility, it hampers future development where the flow of data from one preprocessor to the next depends on traffic conditions, a common situation with advanced features like application identification. In this case, a preprocessor like HTTP may be extracting and normalizing data that ultimately is not used, or app ID may be repeatedly checking for data that is just not available.

Callbacks help break out of the preprocess straightjacket. This is where one preprocessor supplies another with a function to call when certain data is available. Snort has started to take this approach to pass some HTTP and SIP preprocessor data to app ID. However, it remains a peripheral feature and still requires the production of data that may not be consumed.

The basic processing steps Snort++ takes are similar to Snort's as seen in the following diagram. The preprocess step employs specific inspector types instead of a generalized list, but the basic procedure includes stateless packet decoding, TCP stream reassembly, and service specific analysis in both cases. (Snort++ provides hooks for arbitrary inspectors, but they are not central to basic flow processing and are not shown.)

Snort 3X Packet Processing

However, Snort++ also provides a more flexible mechanism than callback functions. By using inspection events, it is possible for an inspector to supply data that other inspectors can process. This is known as the observer pattern or publish-subscribe pattern.

Note that the normalized data is not actually published. Instead, access to the data is published, and that means that subscribers can access the raw or normalized version(s) as needed. Normalizations are done only on the first access, and subsequent accesses get the previously normalized data. This results in just in time (JIT) processing.

A basic example of this in action is provided by the extra data_log plugin. It is a passive inspector, i.e. it does nothing until it receives the data it subscribed for ('other' in the above diagram). By adding the following to your snort.lua configuration, you will get a simple URI logger:

data_log = { key = 'http_raw_uri' }
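To make the publish-subscribe and just-in-time normalization ideas concrete, here is a small self-contained C++ sketch added for this write-up. It is not Snort++ code: the names DataBus, HttpUriData and UriLogger are invented, the event key 'http_raw_uri' is borrowed from the data_log example above, and percent-decoding stands in for Snort's real URI normalizations. What it shows is the point made earlier: access to the data is what gets published, normalization runs once on first access no matter how many subscribers ask for it, and it never runs at all if nobody subscribed.

```cpp
// Added illustration of inspection events with JIT normalization.
// Not Snort++ code; all class and function names here are invented.
#include <cstdio>
#include <functional>
#include <map>
#include <string>
#include <utility>
#include <vector>

// The published object: it carries the raw buffer and produces the
// normalized form lazily, caching it after the first request.
class HttpUriData {
public:
    explicit HttpUriData(std::string raw) : raw_(std::move(raw)) {}

    const std::string& raw() const { return raw_; }

    // Normalization happens on the first call only; later calls are cached.
    const std::string& normalized() {
        if (!normalized_done_) {
            norm_ = percent_decode(raw_);   // stand-in for real URI normalization
            normalized_done_ = true;
            ++normalize_count_;
        }
        return norm_;
    }

    int normalize_count() const { return normalize_count_; }

private:
    static int hexval(char c) {
        if (c >= '0' && c <= '9') return c - '0';
        if (c >= 'a' && c <= 'f') return c - 'a' + 10;
        if (c >= 'A' && c <= 'F') return c - 'A' + 10;
        return -1;
    }

    // Decodes %XX sequences; malformed sequences are copied through as-is.
    static std::string percent_decode(const std::string& in) {
        std::string out;
        for (size_t i = 0; i < in.size(); ++i) {
            if (in[i] == '%' && i + 2 < in.size()) {
                int hi = hexval(in[i + 1]), lo = hexval(in[i + 2]);
                if (hi >= 0 && lo >= 0) {
                    out += static_cast<char>(hi * 16 + lo);
                    i += 2;
                    continue;
                }
            }
            out += in[i];
        }
        return out;
    }

    std::string raw_, norm_;
    bool normalized_done_ = false;
    int normalize_count_ = 0;
};

// A minimal observer bus keyed by event name (cf. key = 'http_raw_uri').
class DataBus {
public:
    using Handler = std::function<void(HttpUriData&)>;

    void subscribe(const std::string& key, Handler h) {
        subs_[key].push_back(std::move(h));
    }

    // Returns the number of subscribers notified; zero means no work was done.
    int publish(const std::string& key, HttpUriData& data) {
        auto it = subs_.find(key);
        if (it == subs_.end()) return 0;
        for (auto& h : it->second) h(data);
        return static_cast<int>(it->second.size());
    }

private:
    std::map<std::string, std::vector<Handler>> subs_;
};

// Passive inspector in the spirit of data_log: idle until its event fires.
struct UriLogger {
    std::vector<std::string> log;

    void attach(DataBus& bus, const std::string& key, bool want_normalized) {
        bus.subscribe(key, [this, want_normalized](HttpUriData& d) {
            log.push_back(want_normalized ? d.normalized() : d.raw());
        });
    }
};

// One raw-URI subscriber and two normalized-URI subscribers share a single
// published object. Returns how many times normalization actually ran.
int demo_jit_normalization(const std::string& raw_uri, std::vector<std::string>* logged) {
    DataBus bus;
    UriLogger raw_log, norm_log_a, norm_log_b;
    raw_log.attach(bus, "http_raw_uri", false);
    norm_log_a.attach(bus, "http_raw_uri", true);
    norm_log_b.attach(bus, "http_raw_uri", true);

    HttpUriData data(raw_uri);
    bus.publish("http_raw_uri", data);

    if (logged) *logged = {raw_log.log[0], norm_log_a.log[0], norm_log_b.log[0]};
    return data.normalize_count();
}

// With nobody subscribed, the expensive step is skipped entirely.
int demo_no_subscriber(const std::string& raw_uri) {
    DataBus bus;
    HttpUriData data(raw_uri);
    bus.publish("http_raw_uri", data);
    return data.normalize_count();
}

int main() {
    std::vector<std::string> logged;
    int runs = demo_jit_normalization("/docs/%41%42%43.html", &logged);  // constructed sample URI
    for (const auto& s : logged) std::printf("logged: %s\n", s.c_str());
    std::printf("normalization ran %d time(s)\n", runs);
    std::printf("with no subscriber: %d\n", demo_no_subscriber("/docs/%41.html"));
    return 0;
}
```

The second normalized subscriber gets the cached string, so the decode runs once for three consumers, and the no-subscriber case shows the "produce data only when needed" goal: the bus returns without touching the buffer.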

Inspection events coupled with pluggable inspectors provide a very flexible framework for implementing new features. And JIT buffer stuffers allow Snort++ to work smarter, not harder. These capabilities will be leveraged more and more as Snort++ development continues. Look for weekly updates on github (snortadmin/snort3) and monthly updates on snort.org.


Thursday, April 23, 2015

We welcome the introduction of the newest rule release from Talos. In this release we introduced 5 new rules and made modifications to 11 additional rules.

There were no changes made to the snort.conf in this release.

Talos's rule release:

Talos has added and modified multiple rules in the browser-ie, browser-other,
exploit-kit, malware-cnc, pua-adware and server-webapp rule sets to provide
coverage for emerging threats from these technologies.


Rules to detect attacks targeting these vulnerabilities are included in this
release and are identified with GID 1, SIDs 34178 through 34179.

Talos has added and modified multiple rules in the browser-ie, browser-other,
file-flash, file-pdf, malware-cnc, os-other, os-windows, pua-adware and
server-other rule sets to provide coverage for emerging threats from these
technologies.


Rules to detect attacks targeting these vulnerabilities are included in this
release and are identified with GID 1, SIDs 32442 through 32443, 34059 through
34060, 34064 through 34065, 34068 through 34071, 34074 through 34077, 34084
through 34085, and 34089 through 34090.

Microsoft Security Bulletin MS15-033:
A coding deficiency exists in Microsoft Office that may lead to remote code
execution.

Rules to detect attacks targeting these vulnerabilities are included in this
release and are identified with GID 1, SIDs 34062 through 34063, 34066 through
34067, 34086 through 34087, and 34093 through 34094.

Microsoft Security Bulletin MS15-034:
A coding deficiency exists in Microsoft HTTP.sys that may lead to remote code
execution.

A rule to detect attacks targeting this vulnerability is included in this
release and is identified with GID 1, SID 34061.

Microsoft Security Bulletin MS15-035:
A coding deficiency exists in a Microsoft graphics component that may lead to
remote code execution.

Rules to detect attacks targeting these vulnerabilities are included in this
release and are identified with GID 1, SIDs 34082 through 34083.

Microsoft Security Bulletin MS15-036:
A coding deficiency exists in Microsoft SharePoint Server that may lead to
an escalation of privilege.

Previously released rules will detect attacks targeting this vulnerability and
have been updated with the appropriate reference information. They are included
in this release and are identified with GID 1, SIDs 7070 and 21782.

A new rule to detect attacks targeting this vulnerability is also included in
this release and is identified with GID 1, SID 34099.

Microsoft Security Bulletin MS15-037:
A coding deficiency exists in Microsoft Windows Task Scheduler that may
lead to an escalation of privilege.

Rules to detect attacks targeting these vulnerabilities are included in this
release and are identified with GID 1, SIDs 34091 through 34092.

Microsoft Security Bulletin MS15-038:
A coding deficiency exists in Microsoft Windows that may lead to an
escalation of privilege.

Rules to detect attacks targeting these vulnerabilities are included in this
release and are identified with GID 1, SIDs 34078 through 34081 and 34095
through 34096.

Rules to detect attacks targeting these vulnerabilities are included in this
release and are identified with GID 1, SIDs 34097 through 34098.

Microsoft Security Bulletin MS15-041:
A coding deficiency exists in Microsoft .NET Framework that may lead to
information disclosure.

A rule to detect attacks targeting this vulnerability is included in this
release and is identified with GID 1, SID 34088.

Talos has also added and modified multiple rules in the browser-ie, deleted,
exploit-kit, file-executable, file-office, file-other, indicator-obfuscation,
os-windows, policy-other and server-other rule sets to provide coverage for
emerging threats from these technologies.


Thursday, April 9, 2015

We welcome the introduction of the newest rule release from Talos. In this release we introduced 12 new rules and made modifications to 3 additional rules.

There were no changes made to the snort.conf in this release.

Talos's rule release:

Talos has added and modified multiple rules in the exploit-kit, file-other,
malware-cnc, os-windows, protocol-dns, server-apache and server-webapp rule
sets to provide coverage for emerging threats from these technologies.


Tuesday, April 7, 2015

We welcome the introduction of the newest rule release from Talos. In this release we introduced 23 new rules and made modifications to 8 additional rules.

There were no changes made to the snort.conf in this release.

Talos's rule release:

Talos has added and modified multiple rules in the blacklist, file-flash,
malware-cnc, policy-other and server-webapp rule sets to provide coverage for
emerging threats from these technologies.


Thursday, April 2, 2015

We welcome the introduction of the newest rule release from Talos. In this release we introduced 40 new rules and made modifications to 19 additional rules.

There were no changes made to the snort.conf in this release.

Talos's rule release:

Talos has added and modified multiple rules in the blacklist, browser-plugins,
exploit-kit, file-flash, indicator-shellcode, malware-cnc, policy-other,
protocol-voip and server-webapp rule sets to provide coverage for emerging
threats from these technologies.
